Fixes for latest ST33KTPM IAK/IDevID provisioning. Added documentation for build options.

2024-07-24 17:13:21 -07:00 · 2024-07-24 17:13:21 -07:00 · dc2b91d056
parent fb7e321ac0
commit dc2b91d056
2 changed files with 27 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -822,6 +822,14 @@ Connection: close
 </html>
 ```
 ## Device Identity and Attestation Keys
 The TCG published a specification for TPM manufacture guidance on setting up keys that can be used for device identiy and attestation.
 This feature has been tested with the ST33KTPM and is enabled with `WOLFTPM_MFG_IDENTITY`. The ST33KTPM samples are provisioned with a default master password enabled with `TEST_SAMPLE`. To define your own master password use `TPM2_IAK_SAMPLE_MASTER_PASSWORD`. The master password is hashed along with the device serial number to produce authentication for accessing these keys.
 The default keys are ECDSA SECP384R1 with SHA2-384 and stored in NV Index defined by `TPM2_IAK_KEY_HANDLE`, `TPM2_IAK_CERT_HANDLE`, `TPM2_IDEVID_KEY_HANDLE` and `TPM2_IDEVID_CERT_HANDLE`.
 ## Todo
--- a/wolftpm/tpm2_wrap.h
+++ b/wolftpm/tpm2_wrap.h
@ -3718,16 +3718,27 @@ WOLFTPM_API int wolfTPM2_PolicyAuthValue(WOLFTPM2_DEV* dev,
-/* pre-provisioned IAK and IDevID key/cert from TPM vendor */
+/* Pre-provisioned IAK and IDevID key/cert from TPM vendor */
 /* Tested with ST33KTPM devices */
 /* Default assumes: ECDSA SECP384R1, SHA2-384 */
 #ifdef WOLFTPM_MFG_IDENTITY
-/* Initial attestation key (IAK) and an initial device ID (IDevID) */
+/* Initial Attestation Key (IAK):
-/* Default is: ECDSA SECP384P1, SHA2-384 */
+ * Restrictive: Can only sign data generated by the TPM like a TPM2_Quote */
-#define TPM2_IAK_KEY_HANDLE     0x81080000
+#ifndef TPM2_IAK_KEY_HANDLE
-#define TPM2_IAK_CERT_HANDLE    0x1C20100
+#define TPM2_IAK_KEY_HANDLE     0x81020001
-
+#endif
-#define TPM2_IDEVID_KEY_HANDLE  0x81080001
+#ifndef TPM2_IAK_CERT_HANDLE
-#define TPM2_IDEVID_CERT_HANDLE 0x1C20101
+#define TPM2_IAK_CERT_HANDLE    0x1C90100
 #endif
 /* Initial Device ID (IDevID):
 * Non-Restrictive: Can sign external data */
 #ifndef TPM2_IDEVID_KEY_HANDLE
 #define TPM2_IDEVID_KEY_HANDLE  0x81020000
 #endif
 #ifndef TPM2_IDEVID_CERT_HANDLE
 #define TPM2_IDEVID_CERT_HANDLE 0x1C90200
 #endif
 WOLFTPM_API int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle,
    uint8_t* masterPassword, uint16_t masterPasswordSz);